- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Wed, 26 Mar 2025 00:11:15 +0000
- To: public-webauthn@w3.org
Firstyear has just created a new issue for https://github.com/w3c/webauthn:

== client extension results field name is unclear ==

## Proposed Change

https://www.w3.org/TR/webauthn-2/#idl-index

The issue with this interface is that nowhere in the IDL do we specify the name of the struct member that holds https://www.w3.org/TR/webauthn-2/#dictdef-authenticationextensionsclientoutputs for an attest or auth result.

Because of this, it's up to implementers to "work it out" and name a member of publicKeyCredential to hold the extensions output for serialisation and transmission.

Due to this, for a long time we worked quite happily with the struct member name "extensions", but MDN defines this as clientExtensionResults.

The IDL and specification need to clearly spell out how a clientExtensionResult should be serialised and what value name it is attached to.

The only hint that this field might be named clientExtensionResult is here:

https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion

`Let clientExtensionResults be the result of calling credential.[getClientExtensionResults()](https://www.w3.org/TR/webauthn-2/#dom-publickeycredential-getclientextensionresults).`

But this doesn't indicate that it is credential.clientExtensionResults, only that some nebulous clientExtensionResults value now exists and needs to be sent to the RP.

Alternately, the argument is that the communication between the JavaScript of the RP and the RP itself is up to the RP to define, and so clientExtensionResults can be named whatever you want. This makes it harder for someone to bring their own JS to a library like webauthn-rust where they expect a standard name for this field.

An example of where we do this *correctly* is https://www.w3.org/TR/webauthn-2/#dictdef-publickeycredentialrequestoptions which clearly spells out what dict member the extensions requests belong to.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2275 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 March 2025 00:11:16 UTC
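
The ambiguity raised in the issue, as an added example that is not part of the original message or of any library's code: the client script decides which member carries the output of `getClientExtensionResults()`, and the RP-side reader accepts the two names mentioned in the issue but fails closed if both appear and disagree. The function names, the sample credential and the accept-both policy are assumptions made for illustration, not behaviour defined by the specification.

```javascript
// Added example. "clientExtensionResults" and "extensions" are the two member
// names mentioned in the issue; all function names here are hypothetical.
const b64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Client side: turn the PublicKeyCredential from navigator.credentials.get()
// into a plain object for transmission. The spec names the method
// getClientExtensionResults(); the wire member name is this script's choice.
function serializeAssertion(cred, memberName = "clientExtensionResults") {
  return {
    id: cred.id,
    rawId: b64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: b64url(cred.response.clientDataJSON),
      authenticatorData: b64url(cred.response.authenticatorData),
      signature: b64url(cred.response.signature),
    },
    [memberName]: cred.getClientExtensionResults(),
  };
}

// RP side (assumed policy): accept either name, treat absence as "no
// extension output", and reject a message where both names are present with
// different serialised content instead of silently picking one.
function readExtensionResults(msg) {
  const names = ["clientExtensionResults", "extensions"].filter((n) => n in msg);
  if (names.length === 0) return {};
  const values = names.map((n) => JSON.stringify(msg[n]));
  if (new Set(values).size > 1) throw new Error("conflicting extension results");
  const out = msg[names[0]];
  if (out === null || typeof out !== "object" || Array.isArray(out))
    throw new TypeError("extension results must be an object");
  return out;
}

// Constructed stand-in for a browser PublicKeyCredential (not real data).
const sampleCredential = {
  id: "AQID", rawId: new Uint8Array([1, 2, 3]).buffer, type: "public-key",
  response: {
    clientDataJSON: new Uint8Array([123, 125]).buffer,
    authenticatorData: new Uint8Array(37).buffer,
    signature: new Uint8Array([48, 0]).buffer,
  },
  getClientExtensionResults: () => ({ appid: true }),
};
```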